Cybersecurity is one of the most daunting responsibilities mutual fund boards must confront, and so few on the board are well-versed in it. ACA Compliance Group’s James Pappas and Askari Foy discuss what’s needed to ensure the board understands the threats the organization faces.
Imagine being tasked with understanding an element of your job that lies outside your job description, knowing that if you get it wrong, the result may be dramatic losses and/or reputational harm for your organization.
But in the age of cybercrime, where financial services organizations are the second-most likely sector at risk for a cyberattack, cybersecurity has to be top of mind for each employee in the organization, from entry-level staff to senior management. Moreover, for mutual fund boards of directors, cybersecurity is a daunting task and one with many oversight responsibilities.
The SEC, currently on its third cyber sweep in the last six years, has made clear by designating cybersecurity a top priority that it is a crucial element of board oversight. But that is easier said than done. Most mutual fund boards of directors meet only four to six times per year and are sometimes composed of retired mavens of industry with numerous other roles and responsibilities. Directors who sit on multiple boards and engage in their own pursuits often have limited time to dedicate to understanding this element of their oversight role.
Fund boards wrestle with how to effectively include cybersecurity in their oversight responsibilities. Cybersecurity is highly technical, rapidly evolving, requires continuous vigilance and demands significant ongoing resources. And while solutions are expensive, failures in this area are far more costly. As with other oversight roles, directors are charged with exercising their business judgment in oversight, not management.
Mutual fund boards of directors are tasked with understanding the threats, defenses, tools, infrastructure, human capital and monetary costs of cybersecurity, but they can only do so when given the proper tools. When technologists, even at the C-suite level, present to the board on the state of cybersecurity for their fund, more often than not, they’re speaking a completely different language – one that boards of directors struggle to understand.
In an age where not just financial institutions, but also regulators themselves have invested significant cost in understanding and adopting cybersecurity technology, both sides have become far more sophisticated. The SEC’s information request list has become far more detailed, and thus necessitates more detailed responses during exams. As the SEC has continued to stress cybersecurity, boards of directors stress as well.
In order for mutual fund boards of directors to properly do their jobs, the relatively few and far between meetings must be conducted in an efficient manner that results in a shared understanding for both parties and the tackling of business-critical risks. A framework for oversight can bridge the gap between technologists and boards of directors, creating a “Rosetta Stone” for the mutual understanding and appreciation for the policies and procedures in place to address cybersecurity.
Technologists tend to believe that the more detailed and quantitative their presentations to boards of directors are, the better. But that tendency can be counterproductive, because what boards of directors need above all is an understanding of the critical elements of business risk when it comes to cybersecurity. An effective conversation on cybersecurity between the mutual fund board of directors and the service provider takes planning, dialogue, pushing and compromising. At the conclusion of an effective meeting, the following questions should have been answered:
- How is that to be done to the satisfaction of all parties concerned?
- What are the topics, presentations and proof statements that address that business risk?
- What will be the structure of the long-term oversight?
- What ongoing governance and fund compliance processes does cybersecurity fit into?
For example, a director may ask how many times the firewall has been breached. More effective questions are, "How sophisticated are these attacks?" and "What have we done to understand this and protect against it?" Turning the question into a qualitative discussion that addresses the business risks at the root of the problem is far more effective than learning the number of times a cyber event has occurred.
Patches are another top-line, yet confusing, item discussed during board meetings. Boards often misunderstand the role of patches. Though it is of course important to have a patching process in place, directors frequently do not realize that when patches pile up and go unapplied, the resulting backlog leaves systems vulnerable. Cybersecurity meetings are also typically the time when boards of directors review their third-party software vendors and assess their performance, another area where a lack of shared language can cause a disconnect, as third-party risk has become a top underlying cause of cyber breaches.
A board meeting on cybersecurity can be likened to a prospective homeowner purchasing a house. As the buyer gets closer to closing the deal, they ask more in-depth and probing questions about specific details, including the condition the house is in, and other smaller concerns begin to arise. While prospective homeowners may not feel comfortable asking every question that comes to mind, the most astute homebuyers make sure they do before making what is often the biggest purchase of their lives.
Similarly, boards of directors avoid asking questions related to cybersecurity, because they feel they lack the domain expertise to do so and fear they do not even know which questions to ask. But management and the board share a fiduciary interest in a functional security program. If a "Rosetta Stone" is built to bridge the gap in understanding and expertise, directors will walk away from a cyber meeting able to exercise informed business judgment and do right by their stakeholders.